<!DOCTYPE HTML>
<html lang="en" >
    <!-- Start book Flask框架 -->
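    <head>
        <!-- head:start -->
        <meta charset="UTF-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <title>CSRF | Flask框架</title>
        <meta name="description" content="">
        <meta name="generator" content="GitBook 2.6.7">
        <meta name="HandheldFriendly" content="true">
        <!-- no user-scalable=no here: it disables pinch-zoom, a WCAG 1.4.4 failure -->
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="apple-mobile-web-app-capable" content="yes">
        <meta name="apple-mobile-web-app-status-bar-style" content="black">
        <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
        <link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
        <link rel="stylesheet" href="../gitbook/style.css">
        <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-toggle-chapters/toggle.css">
        <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-highlight/website.css">
        <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-search/search.css">
        <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-fontsettings/website.css">
        <!-- previous/next chapter in the book's reading order -->
        <link rel="next" href="../shu-ju-ku.html">
        <link rel="prev" href="../mo-ban/flask-wtfbiao-dan.html">
        <!-- head:end -->
    </head>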
    <body>
        <!-- body:start -->
        
    <div class="book"
        data-level="2.9"
        data-chapter-title="CSRF"
        data-filepath="mo-ban/csrf.md"
        data-basepath=".."
        data-revision="Sat Apr 14 2018 02:27:55 GMT+0800 (CST)"
        data-innerlanguage="">
    


    <div class="book-body">
        <div class="body-inner">

            <div class="page-wrapper" tabindex="-1" role="main">
                <div class="page-inner">
                
                
                    <section class="normal" id="section-">
                    
                        <h1 id="csrf">CSRF</h1>
<ul>
<li><code>CSRF</code>&#x5168;&#x62FC;&#x4E3A;<code>Cross Site Request Forgery</code>&#xFF0C;&#x8BD1;&#x4E3A;&#x8DE8;&#x7AD9;&#x8BF7;&#x6C42;&#x4F2A;&#x9020;&#x3002;</li>
<li><code>CSRF</code>&#x6307;&#x653B;&#x51FB;&#x8005;&#x76D7;&#x7528;&#x4E86;&#x4F60;&#x7684;&#x8EAB;&#x4EFD;&#xFF0C;&#x4EE5;&#x4F60;&#x7684;&#x540D;&#x4E49;&#x53D1;&#x9001;&#x6076;&#x610F;&#x8BF7;&#x6C42;&#x3002;<ul>
<li>&#x5305;&#x62EC;&#xFF1A;&#x4EE5;&#x4F60;&#x540D;&#x4E49;&#x53D1;&#x9001;&#x90AE;&#x4EF6;&#xFF0C;&#x53D1;&#x6D88;&#x606F;&#xFF0C;&#x76D7;&#x53D6;&#x4F60;&#x7684;&#x8D26;&#x53F7;&#xFF0C;&#x751A;&#x81F3;&#x4E8E;&#x8D2D;&#x4E70;&#x5546;&#x54C1;&#xFF0C;&#x865A;&#x62DF;&#x8D27;&#x5E01;&#x8F6C;&#x8D26;......</li>
</ul>
</li>
<li>&#x9020;&#x6210;&#x7684;&#x95EE;&#x9898;&#xFF1A;&#x4E2A;&#x4EBA;&#x9690;&#x79C1;&#x6CC4;&#x9732;&#x4EE5;&#x53CA;&#x8D22;&#x4EA7;&#x5B89;&#x5168;&#x3002;</li>
</ul>
<h2 id="csrf&#x653B;&#x51FB;&#x793A;&#x610F;&#x56FE;">CSRF&#x653B;&#x51FB;&#x793A;&#x610F;&#x56FE;</h2>
<ul>
<li>&#x5BA2;&#x6237;&#x7AEF;&#x8BBF;&#x95EE;&#x670D;&#x52A1;&#x5668;&#x65F6;&#x6CA1;&#x6709;&#x540C;&#x670D;&#x52A1;&#x5668;&#x505A;&#x5B89;&#x5168;&#x9A8C;&#x8BC1;</li>
</ul>
<p><img src="../assets/CSRF&#x653B;&#x51FB;&#x8FC7;&#x7A0B;.png" alt="CSRF 攻击过程示意图"></p>
<h2 id="&#x9632;&#x6B62;-csrf-&#x653B;&#x51FB;">&#x9632;&#x6B62; CSRF &#x653B;&#x51FB;</h2>
<h3 id="&#x6B65;&#x9AA4;">&#x6B65;&#x9AA4;</h3>
<ol>
<li>在客户端向后端请求界面数据的时候，后端会往响应中的 cookie 中设置 csrf_token 的值（该值应为随机且不可预测的）</li>
<li>在 Form 表单中添加一个隐藏的字段，值也是 csrf_token</li>
<li>&#x5728;&#x7528;&#x6237;&#x70B9;&#x51FB;&#x63D0;&#x4EA4;&#x7684;&#x65F6;&#x5019;&#xFF0C;&#x4F1A;&#x5E26;&#x4E0A;&#x8FD9;&#x4E24;&#x4E2A;&#x503C;&#x5411;&#x540E;&#x53F0;&#x53D1;&#x8D77;&#x8BF7;&#x6C42;</li>
<li>后端接收到请求，会做以下几件事情：<ul>
<li>从 cookie 中取出 csrf_token</li>
<li>从表单数据中取出隐藏的 csrf_token 的值</li>
<li>&#x8FDB;&#x884C;&#x5BF9;&#x6BD4;</li>
</ul>
</li>
<li>如果比较之后两值一样，那么代表是正常的请求（攻击者的页面受同源策略限制，读不到本站的 cookie，因此无法在伪造的请求中填入正确的隐藏字段）；如果没取到或者比较不一样，代表不是正常的请求，不执行下一步操作</li>
</ol>
<h3 id="&#x4EE3;&#x7801;&#x6F14;&#x793A;">&#x4EE3;&#x7801;&#x6F14;&#x793A;</h3>
<h4 id="&#x672A;&#x8FDB;&#x884C;-csrf-&#x6821;&#x9A8C;&#x7684;-weba">&#x672A;&#x8FDB;&#x884C; csrf &#x6821;&#x9A8C;&#x7684; WebA</h4>
<ul>
<li>&#x540E;&#x7AEF;&#x4EE3;&#x7801;&#x5B9E;&#x73B0;</li>
</ul>
<pre><code class="lang-python">
<span class="hljs-keyword">from</span> flask <span class="hljs-keyword">import</span> Flask, render_template, make_response
<span class="hljs-keyword">from</span> flask <span class="hljs-keyword">import</span> redirect
<span class="hljs-keyword">from</span> flask <span class="hljs-keyword">import</span> request
<span class="hljs-keyword">from</span> flask <span class="hljs-keyword">import</span> url_for

app = Flask(__name__)


<span class="hljs-decorator">@app.route(&apos;/&apos;, methods=[&quot;POST&quot;, &quot;GET&quot;])</span>
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">index</span><span class="hljs-params">()</span>:</span>
    """Login view of the deliberately unprotected "WebA" demo (the heading above
    says it performs no CSRF check).

    GET renders ``temp_login.html``. POST compares the submitted username and
    password with a hard-coded pair; on a match it stores the username in a
    plain cookie and redirects to ``transfer``, otherwise it falls through and
    re-renders the login template.
    """
    <span class="hljs-keyword">if</span> request.method == <span class="hljs-string">&quot;POST&quot;</span>:
        <span class="hljs-comment"># Read the parameters submitted with the form</span>
        username = request.form.get(<span class="hljs-string">&quot;username&quot;</span>)
        password = request.form.get(<span class="hljs-string">&quot;password&quot;</span>)

        <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> all([username, password]):
            print(<span class="hljs-string">&apos;&#x53C2;&#x6570;&#x9519;&#x8BEF;&apos;</span>)
        <span class="hljs-keyword">else</span>:
            # NOTE(review): this writes the submitted password to stdout/logs;
            # acceptable only because this is a demo.
            print(username, password)
            <span class="hljs-keyword">if</span> username == <span class="hljs-string">&apos;laowang&apos;</span> <span class="hljs-keyword">and</span> password == <span class="hljs-string">&apos;1234&apos;</span>:
                <span class="hljs-comment"># Keep state: store the username in a cookie to mark a successful login</span>
                # The cookie is a bare, unsigned value (no signing, no httponly
                # argument passed), so whatever the browser sends back later is
                # trusted as the logged-in user -- that is the demo's weak point.
                response = redirect(url_for(<span class="hljs-string">&apos;transfer&apos;</span>))
                response.set_cookie(<span class="hljs-string">&apos;username&apos;</span>, username)
                <span class="hljs-keyword">return</span> response
            <span class="hljs-keyword">else</span>:
                print(<span class="hljs-string">&apos;&#x5BC6;&#x7801;&#x9519;&#x8BEF;&apos;</span>)

    # Reached on GET and on every failed POST: show the login form again.
    <span class="hljs-keyword">return</span> render_template(<span class="hljs-string">&apos;temp_login.html&apos;</span>)


<span class="hljs-decorator">@app.route(&apos;/transfer&apos;, methods=[&quot;POST&quot;, &quot;GET&quot;])</span>
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">transfer</span><span class="hljs-params">()</span>:</span>
    <span class="hljs-comment"># Transfer page of demo site A, deliberately without CSRF protection: this is</span>
    <span class="hljs-comment"># the version that the site B page further down forges a request against.</span>
    <span class="hljs-comment"># Returns: a redirect to index when not logged in, a text message after a POST,</span>
    <span class="hljs-comment"># otherwise the rendered transfer form.</span>
    <span class="hljs-comment"># Read the username from the cookie</span>
    username = request.cookies.get(<span class="hljs-string">&apos;username&apos;</span>, <span class="hljs-keyword">None</span>)
    <span class="hljs-comment"># If it is absent, the user is not logged in</span>
    <span class="hljs-comment"># NOTE(review): presence of the cookie is the only login check; its value is</span>
    <span class="hljs-comment"># never verified (index() sets it unsigned).</span>
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> username:
        <span class="hljs-keyword">return</span> redirect(url_for(<span class="hljs-string">&apos;index&apos;</span>))

    <span class="hljs-keyword">if</span> request.method == <span class="hljs-string">&quot;POST&quot;</span>:
        <span class="hljs-comment"># The state-changing action. Nothing here ties the POST to the form that</span>
        <span class="hljs-comment"># site A rendered, so any page the browser visits while the cookie is set</span>
        <span class="hljs-comment"># can submit it; the csrf_token check added later in this chapter fixes that.</span>
        to_account = request.form.get(<span class="hljs-string">&quot;to_account&quot;</span>)
        money = request.form.get(<span class="hljs-string">&quot;money&quot;</span>)
        print(<span class="hljs-string">&apos;&#x5047;&#x88C5;&#x6267;&#x884C;&#x8F6C;&#x64CD;&#x4F5C;&#xFF0C;&#x5C06;&#x5F53;&#x524D;&#x767B;&#x5F55;&#x7528;&#x6237;&#x7684;&#x94B1;&#x8F6C;&#x8D26;&#x5230;&#x6307;&#x5B9A;&#x8D26;&#x6237;&apos;</span>)
        <span class="hljs-comment"># NOTE(review): Flask serves a returned str as text/html, so money and</span>
        <span class="hljs-comment"># to_account are reflected unescaped here; escape them (markupsafe.escape)</span>
        <span class="hljs-comment"># or render a template if this grows beyond a demo.</span>
        <span class="hljs-keyword">return</span> <span class="hljs-string">&apos;&#x8F6C;&#x8D26; %s &#x5143;&#x5230; %s &#x6210;&#x529F;&apos;</span> % (money, to_account)

    <span class="hljs-comment"># Render the transfer page</span>
    response = make_response(render_template(<span class="hljs-string">&apos;temp_transfer.html&apos;</span>))
    <span class="hljs-keyword">return</span> response

<span class="hljs-keyword">if</span> __name__ == <span class="hljs-string">&apos;__main__&apos;</span>:
    <span class="hljs-comment"># Site A listens on port 9000; the site B form below targets this port.</span>
    <span class="hljs-comment"># NOTE(review): debug=True enables the Werkzeug reloader and interactive</span>
    <span class="hljs-comment"># debugger; keep it off on any host other people can reach.</span>
    app.run(debug=<span class="hljs-keyword">True</span>, port=<span class="hljs-number">9000</span>)
</code></pre>
<ul>
<li>&#x524D;&#x7AEF;&#x767B;&#x5F55;&#x9875;&#x9762;&#x4EE3;&#x7801;</li>
</ul>
<pre><code class="lang-html"><span class="hljs-doctype">&lt;!DOCTYPE html&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">html</span> <span class="hljs-attribute">lang</span>=<span class="hljs-value">&quot;en&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">head</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">meta</span> <span class="hljs-attribute">charset</span>=<span class="hljs-value">&quot;UTF-8&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">title</span>&gt;</span>&#x767B;&#x5F55;<span class="hljs-tag">&lt;/<span class="hljs-title">title</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">head</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">body</span>&gt;</span>

<span class="hljs-tag">&lt;<span class="hljs-title">h1</span>&gt;</span>&#x6211;&#x662F;&#x7F51;&#x7AD9;A&#xFF0C;&#x767B;&#x5F55;&#x9875;&#x9762;<span class="hljs-tag">&lt;/<span class="hljs-title">h1</span>&gt;</span>

<span class="hljs-comment">&lt;!-- Login form of site A (temp_login.html). No action attribute, so it posts back to the URL that served it. --&gt;</span>
<span class="hljs-comment">&lt;!-- Reviewer note: pair each label with its input (for/id) and add autocomplete=username and autocomplete=current-password so browsers fill the right fields. --&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x7528;&#x6237;&#x540D;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;text&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;username&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x7528;&#x6237;&#x540D;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x5BC6;&#x7801;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;password&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;password&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x5BC6;&#x7801;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;submit&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;&#x767B;&#x5F55;&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>

<span class="hljs-tag">&lt;/<span class="hljs-title">body</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">html</span>&gt;</span>
</code></pre>
<ul>
<li>&#x524D;&#x7AEF;&#x8F6C;&#x8D26;&#x9875;&#x9762;&#x4EE3;&#x7801;</li>
</ul>
<pre><code class="lang-html"><span class="hljs-doctype">&lt;!DOCTYPE html&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">html</span> <span class="hljs-attribute">lang</span>=<span class="hljs-value">&quot;en&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">head</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">meta</span> <span class="hljs-attribute">charset</span>=<span class="hljs-value">&quot;UTF-8&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">title</span>&gt;</span>&#x8F6C;&#x8D26;<span class="hljs-tag">&lt;/<span class="hljs-title">title</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">head</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">body</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">h1</span>&gt;</span>&#x6211;&#x662F;&#x7F51;&#x7AD9;A&#xFF0C;&#x8F6C;&#x8D26;&#x9875;&#x9762;<span class="hljs-tag">&lt;/<span class="hljs-title">h1</span>&gt;</span>

<span class="hljs-comment">&lt;!-- Transfer form of site A, unprotected version: it carries nothing that proves it was rendered by site A, which is what the csrf_token hidden field added later provides. --&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x8D26;&#x6237;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;text&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;to_account&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x8981;&#x8F6C;&#x8D26;&#x7684;&#x8D26;&#x6237;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x91D1;&#x989D;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;number&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;money&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x8F6C;&#x8D26;&#x91D1;&#x989D;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;submit&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;&#x8F6C;&#x8D26;&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>

<span class="hljs-tag">&lt;/<span class="hljs-title">body</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">html</span>&gt;</span>
</code></pre>
<blockquote>
<p>&#x8FD0;&#x884C;&#x6D4B;&#x8BD5;&#xFF0C;&#x5982;&#x679C;&#x5728;&#x672A;&#x767B;&#x5F55;&#x7684;&#x60C5;&#x51B5;&#x4E0B;&#xFF0C;&#x4E0D;&#x80FD;&#x76F4;&#x63A5;&#x8FDB;&#x5165;&#x8F6C;&#x8D26;&#x9875;&#x9762;&#xFF0C;&#x6D4B;&#x8BD5;&#x8F6C;&#x8D26;&#x662F;&#x6210;&#x529F;&#x7684;</p>
</blockquote>
<h4 id="&#x653B;&#x51FB;&#x7F51;&#x7AD9;b&#x7684;&#x4EE3;&#x7801;">&#x653B;&#x51FB;&#x7F51;&#x7AD9;B&#x7684;&#x4EE3;&#x7801;</h4>
<ul>
<li>&#x540E;&#x7AEF;&#x4EE3;&#x7801;&#x5B9E;&#x73B0;</li>
</ul>
<pre><code class="lang-html">from flask import Flask
from flask import render_template

app = Flask(__name__)

# Site B only serves a static page; the forged transfer request is issued by
# the visitor's own browser from the form in the front-end listing below, not
# by this server.
@app.route(&apos;/&apos;)
def index():
    return render_template(&apos;temp_index.html&apos;)

if __name__ == &apos;__main__&apos;:
    # Port 8000: a different origin from site A on 9000.
    app.run(debug=True, port=8000)
</code></pre>
<ul>
<li>&#x524D;&#x7AEF;&#x4EE3;&#x7801;&#x5B9E;&#x73B0;</li>
</ul>
<pre><code class="lang-html"><span class="hljs-doctype">&lt;!DOCTYPE html&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">html</span> <span class="hljs-attribute">lang</span>=<span class="hljs-value">&quot;en&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">head</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">meta</span> <span class="hljs-attribute">charset</span>=<span class="hljs-value">&quot;UTF-8&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">title</span>&gt;</span>Title<span class="hljs-tag">&lt;/<span class="hljs-title">title</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">head</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">body</span>&gt;</span>

<span class="hljs-tag">&lt;<span class="hljs-title">h1</span>&gt;</span>&#x6211;&#x662F;&#x7F51;&#x7AD9;B<span class="hljs-tag">&lt;/<span class="hljs-title">h1</span>&gt;</span>

<span class="hljs-comment">&lt;!-- Demo of the forged request: a cross-site POST to the unprotected /transfer of site A, sent by the visitor's browser. Once site A checks the csrf_token this form cannot supply it and the request is rejected. --&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span> <span class="hljs-attribute">action</span>=<span class="hljs-value">&quot;http://127.0.0.1:9000/transfer&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;hidden&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;to_account&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;999999&quot;</span>&gt;</span>
    <span class="hljs-comment">&lt;!-- The trailing hidden attribute on the next input is redundant with type=hidden. --&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;hidden&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;money&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;190000&quot;</span> <span class="hljs-attribute">hidden</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;submit&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;&#x70B9;&#x51FB;&#x9886;&#x53D6;&#x4F18;&#x60E0;&#x5238;&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>

<span class="hljs-tag">&lt;/<span class="hljs-title">body</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">html</span>&gt;</span>
</code></pre>
<blockquote>
<p>&#x8FD0;&#x884C;&#x6D4B;&#x8BD5;&#xFF0C;&#x5728;&#x7528;&#x6237;&#x767B;&#x5F55;&#x7F51;&#x7AD9;A&#x7684;&#x60C5;&#x51B5;&#x4E0B;&#xFF0C;&#x70B9;&#x51FB;&#x7F51;&#x7AD9;B&#x7684;&#x6309;&#x94AE;&#xFF0C;&#x53EF;&#x4EE5;&#x5B9E;&#x73B0;&#x4F2A;&#x9020;&#x8BBF;&#x95EE;</p>
</blockquote>
<h4 id="&#x5728;&#x7F51;&#x7AD9;a&#x4E2D;&#x6A21;&#x62DF;&#x5B9E;&#x73B0;-csrftoken-&#x6821;&#x9A8C;&#x7684;&#x6D41;&#x7A0B;">&#x5728;&#x7F51;&#x7AD9;A&#x4E2D;&#x6A21;&#x62DF;&#x5B9E;&#x73B0; csrf_token &#x6821;&#x9A8C;&#x7684;&#x6D41;&#x7A0B;</h4>
<ul>
<li>&#x6DFB;&#x52A0;&#x751F;&#x6210; csrf_token &#x7684;&#x51FD;&#x6570;</li>
</ul>
<pre><code class="lang-python"><span class="hljs-comment"># Function that generates a csrf_token.</span>
<span class="hljs-comment"># Needs import os and import base64 at module level (not shown in this snippet).</span>
<span class="hljs-comment"># Returns a 64-character standard-base64 string built from 48 bytes of</span>
<span class="hljs-comment"># os.urandom, the OS cryptographic random source.</span>
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">generate_csrf</span><span class="hljs-params">()</span>:</span>
    <span class="hljs-keyword">return</span> bytes.decode(base64.b64encode(os.urandom(<span class="hljs-number">48</span>)))
</code></pre>
<ul>
<li>&#x5728;&#x6E32;&#x67D3;&#x8F6C;&#x8D26;&#x9875;&#x9762;&#x7684;&#xFF0C;&#x505A;&#x4EE5;&#x4E0B;&#x51E0;&#x4EF6;&#x4E8B;&#x60C5;&#xFF1A;<ul>
<li>&#x751F;&#x6210; csrf_token &#x7684;&#x503C;</li>
<li>&#x5728;&#x8FD4;&#x56DE;&#x8F6C;&#x8D26;&#x9875;&#x9762;&#x7684;&#x54CD;&#x5E94;&#x91CC;&#x9762;&#x8BBE;&#x7F6E; csrf_token &#x5230; cookie &#x4E2D;</li>
<li>&#x5C06; csrf_token &#x4FDD;&#x5B58;&#x5230;&#x8868;&#x5355;&#x7684;&#x9690;&#x85CF;&#x5B57;&#x6BB5;&#x4E2D;</li>
</ul>
</li>
</ul>
<pre><code class="lang-python"><span class="hljs-decorator">@app.route(&apos;/transfer&apos;, methods=[&quot;POST&quot;, &quot;GET&quot;])</span>
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">transfer</span><span class="hljs-params">()</span>:</span>
    <span class="hljs-comment"># Only the render tail of transfer() is shown; the login check and the POST</span>
    <span class="hljs-comment"># branch from the earlier listing are elided by the ellipsis.</span>
    ...
    <span class="hljs-comment"># Generate the csrf_token value (a fresh one on every render)</span>
    csrf_token = generate_csrf()

    <span class="hljs-comment"># Render the transfer page, passing csrf_token into the template</span>
    response = make_response(render_template(<span class="hljs-string">&apos;temp_transfer.html&apos;</span>, csrf_token=csrf_token))
    <span class="hljs-comment"># Store csrf_token in a cookie so the POST handler can compare it with the</span>
    <span class="hljs-comment"># hidden form field (double-submit cookie pattern).</span>
    <span class="hljs-comment"># NOTE(review): the cookie is set with no secure/httponly flags (and no</span>
    <span class="hljs-comment"># samesite, where the installed Werkzeug supports it); the pattern also relies</span>
    <span class="hljs-comment"># on nothing else being able to set cookies for this host.</span>
    response.set_cookie(<span class="hljs-string">&apos;csrf_token&apos;</span>, csrf_token)
    <span class="hljs-keyword">return</span> response
</code></pre>
<ul>
<li>&#x5728;&#x8F6C;&#x8D26;&#x6A21;&#x677F;&#x8868;&#x5355;&#x4E2D;&#x6DFB;&#x52A0; csrf_token &#x9690;&#x85CF;&#x5B57;&#x6BB5;</li>
</ul>
<pre><code class="lang-html"><span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span>&gt;</span>
    <span class="hljs-comment">&lt;!-- Hidden token filled from the csrf_token that transfer() passes to the template; Jinja autoescaping, which Flask enables for .html templates, escapes the value. --&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;hidden&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;csrf_token&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;{{ csrf_token }}&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x8D26;&#x6237;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;text&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;to_account&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x8981;&#x8F6C;&#x8D26;&#x7684;&#x8D26;&#x6237;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">label</span>&gt;</span>&#x91D1;&#x989D;&#xFF1A;<span class="hljs-tag">&lt;/<span class="hljs-title">label</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;number&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;money&quot;</span> <span class="hljs-attribute">placeholder</span>=<span class="hljs-value">&quot;&#x8BF7;&#x8F93;&#x5165;&#x8F6C;&#x8D26;&#x91D1;&#x989D;&quot;</span>&gt;</span><span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;submit&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;&#x8F6C;&#x8D26;&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>
</code></pre>
<ul>
<li>&#x8FD0;&#x884C;&#x6D4B;&#x8BD5;&#xFF0C;&#x8FDB;&#x5165;&#x5230;&#x8F6C;&#x8D26;&#x9875;&#x9762;&#x4E4B;&#x540E;&#xFF0C;&#x67E5;&#x770B; cookie &#x548C; html &#x6E90;&#x4EE3;&#x7801;</li>
</ul>
<p><img src="../assets/CSRF_TOKEN&#x8BBE;&#x7F6E;&#x503C;.png" alt="Screenshot of the transfer page with the csrf_token shown both in the cookie and in the hidden form field of the HTML source"></p>
<ul>
<li>&#x5728;&#x6267;&#x884C;&#x8F6C;&#x8D26;&#x903B;&#x8F91;&#x4E4B;&#x524D;&#x8FDB;&#x884C; csrf_token &#x7684;&#x6821;&#x9A8C;</li>
</ul>
<pre><code class="lang-python"><span class="hljs-keyword">if</span> request.method == <span class="hljs-string">&quot;POST&quot;</span>:
    <span class="hljs-comment"># POST branch of transfer() with the token check added; the function header</span>
    <span class="hljs-comment"># and the login check sit outside this snippet.</span>
    to_account = request.form.get(<span class="hljs-string">&quot;to_account&quot;</span>)
    money = request.form.get(<span class="hljs-string">&quot;money&quot;</span>)
    <span class="hljs-comment"># Read the csrf_token from the form</span>
    form_csrf_token = request.form.get(<span class="hljs-string">&quot;csrf_token&quot;</span>)
    <span class="hljs-comment"># Read the csrf_token from the cookie</span>
    cookie_csrf_token = request.cookies.get(<span class="hljs-string">&quot;csrf_token&quot;</span>)
    <span class="hljs-comment"># Compare them</span>
    <span class="hljs-comment"># NOTE(review): both .get() calls return None when the value is missing, and</span>
    <span class="hljs-comment"># None != None is False, so a POST carrying neither a cookie nor a form token</span>
    <span class="hljs-comment"># passes this check. Reject missing tokens explicitly and compare with</span>
    <span class="hljs-comment"># hmac.compare_digest instead of !=, e.g.</span>
    <span class="hljs-comment">#   if not form_csrf_token or not cookie_csrf_token or not hmac.compare_digest(cookie_csrf_token, form_csrf_token):</span>
    <span class="hljs-keyword">if</span> cookie_csrf_token != form_csrf_token:
        <span class="hljs-keyword">return</span> <span class="hljs-string">&apos;token&#x6821;&#x9A8C;&#x5931;&#x8D25;&#xFF0C;&#x53EF;&#x80FD;&#x662F;&#x975E;&#x6CD5;&#x64CD;&#x4F5C;&apos;</span>
    print(<span class="hljs-string">&apos;&#x5047;&#x88C5;&#x6267;&#x884C;&#x8F6C;&#x64CD;&#x4F5C;&#xFF0C;&#x5C06;&#x5F53;&#x524D;&#x767B;&#x5F55;&#x7528;&#x6237;&#x7684;&#x94B1;&#x8F6C;&#x8D26;&#x5230;&#x6307;&#x5B9A;&#x8D26;&#x6237;&apos;</span>)
    <span class="hljs-keyword">return</span> <span class="hljs-string">&apos;&#x8F6C;&#x8D26; %s &#x5143;&#x5230; %s &#x6210;&#x529F;&apos;</span> % (money, to_account)
</code></pre>
<p>&#x8FD0;&#x884C;&#x6D4B;&#x8BD5;&#xFF0C;&#x7528;&#x6237;&#x76F4;&#x63A5;&#x5728;&#x7F51;&#x7AD9; A &#x64CD;&#x4F5C;&#x6CA1;&#x6709;&#x95EE;&#x9898;&#xFF0C;&#x518D;&#x53BB;&#x7F51;&#x7AD9;B&#x8FDB;&#x884C;&#x64CD;&#x4F5C;&#xFF0C;&#x53D1;&#x73B0;&#x8F6C;&#x8D26;&#x4E0D;&#x6210;&#x529F;&#xFF0C;&#x56E0;&#x4E3A;&#x7F51;&#x7AD9; B &#x83B7;&#x53D6;&#x4E0D;&#x5230;&#x8868;&#x5355;&#x4E2D;&#x7684; csrf_token &#x7684;&#x9690;&#x85CF;&#x5B57;&#x6BB5;&#xFF0C;&#x800C;&#x4E14;&#x6D4F;&#x89C8;&#x5668;&#x6709;<strong>&#x540C;&#x6E90;&#x7B56;&#x7565;</strong>&#xFF0C;&#x7F51;&#x7AD9;B&#x662F;&#x83B7;&#x53D6;&#x4E0D;&#x5230;&#x7F51;&#x7AD9;A&#x7684; cookie &#x7684;&#xFF0C;&#x6240;&#x4EE5;&#x5C31;&#x89E3;&#x51B3;&#x4E86;<strong>&#x8DE8;&#x7AD9;&#x8BF7;&#x6C42;&#x4F2A;&#x9020;</strong>&#x7684;&#x95EE;&#x9898;</p>
<h2 id="&#x5728;-flask-&#x9879;&#x76EE;&#x4E2D;&#x89E3;&#x51B3;-csrf-&#x653B;&#x51FB;">&#x5728; Flask &#x9879;&#x76EE;&#x4E2D;&#x89E3;&#x51B3; CSRF &#x653B;&#x51FB;</h2>
<p>&#x5728; Flask &#x4E2D;&#xFF0C; Flask-wtf &#x6269;&#x5C55;&#x6709;&#x4E00;&#x5957;&#x5B8C;&#x5584;&#x7684; csrf &#x9632;&#x62A4;&#x4F53;&#x7CFB;&#xFF0C;&#x5BF9;&#x4E8E;&#x6211;&#x4EEC;&#x5F00;&#x53D1;&#x8005;&#x6765;&#x8BF4;&#xFF0C;&#x4F7F;&#x7528;&#x8D77;&#x6765;&#x975E;&#x5E38;&#x7B80;&#x5355;</p>
<h3 id="&#x5728;-flaskform-&#x4E2D;&#x5B9E;&#x73B0;&#x6821;&#x9A8C;">&#x5728; FlaskForm &#x4E2D;&#x5B9E;&#x73B0;&#x6821;&#x9A8C;</h3>
<ul>
<li>&#x8BBE;&#x7F6E;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684; secret_key<ul>
<li>&#x7528;&#x4E8E;&#x52A0;&#x5BC6;&#x751F;&#x6210;&#x7684; csrf_token &#x7684;&#x503C;</li>
</ul>
</li>
</ul>
<pre><code class="lang-python">app.secret_key = <span class="hljs-string">&quot;#&#x6B64;&#x5904;&#x53EF;&#x4EE5;&#x5199;&#x968F;&#x673A;&#x5B57;&#x7B26;&#x4E32;#&quot;</span>
<span class="hljs-comment"># NOTE(review): the literal above is a placeholder. Use a long random value</span>
<span class="hljs-comment"># (for example from os.urandom) loaded from configuration or the environment,</span>
<span class="hljs-comment"># not a string committed next to the code; Flask-WTF protects the csrf_token with it.</span>
</code></pre>
<ul>
<li>&#x5728;&#x6A21;&#x677F;&#x7684;&#x8868;&#x5355;&#x4E2D;&#x6DFB;&#x52A0;&#x4EE5;&#x4E0B;&#x4EE3;&#x7801;</li>
</ul>
<pre><code class="lang-html"><span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span>&gt;</span>
    <span class="hljs-comment">&lt;!-- form.csrf_token() renders the hidden token input; FlaskForm validates it on POST, so no hand-written field or cookie handling is needed. --&gt;</span>
    {{ form.csrf_token() }}
    {{ form.username.label }} {{ form.username }}<span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    {{ form.password.label }} {{ form.password }}<span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    {{ form.password2.label }} {{ form.password2 }}<span class="hljs-tag">&lt;<span class="hljs-title">br</span>/&gt;</span>
    {{ form.submit }}
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>
</code></pre>
<ul>
<li>&#x6E32;&#x67D3;&#x51FA;&#x6765;&#x7684;&#x524D;&#x7AEF;&#x9875;&#x9762;&#x4E3A;&#xFF1A;</li>
</ul>
<p><img src="../assets/flaskwtf_csrftoken.png" alt="Rendered form showing the hidden csrf_token input generated by Flask-WTF"></p>
<blockquote>
<p>&#x8BBE;&#x7F6E;&#x5B8C;&#x6BD5;&#xFF0C;cookie &#x4E2D;&#x7684; csrf_token &#x4E0D;&#x9700;&#x8981;&#x6211;&#x4EEC;&#x5173;&#x5FC3;&#xFF0C;&#x4F1A;&#x81EA;&#x52A8;&#x5E2E;&#x6211;&#x4EEC;&#x8BBE;&#x7F6E;</p>
</blockquote>
<h3 id="&#x5355;&#x72EC;&#x4F7F;&#x7528;">&#x5355;&#x72EC;&#x4F7F;&#x7528;</h3>
<ul>
<li>&#x8BBE;&#x7F6E;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684; secret_key<ul>
<li>&#x7528;&#x4E8E;&#x52A0;&#x5BC6;&#x751F;&#x6210;&#x7684; csrf_token &#x7684;&#x503C;</li>
</ul>
</li>
</ul>
<pre><code class="lang-python">app.secret_key = <span class="hljs-string">&quot;#&#x6B64;&#x5904;&#x53EF;&#x4EE5;&#x5199;&#x968F;&#x673A;&#x5B57;&#x7B26;&#x4E32;#&quot;</span>
<span class="hljs-comment"># NOTE(review): placeholder value; use a long random secret loaded from</span>
<span class="hljs-comment"># configuration or the environment rather than a string committed with the code.</span>
</code></pre>
<ul>
<li>&#x5BFC;&#x5165; flask_wtf.csrf &#x4E2D;&#x7684; CSRFProtect &#x7C7B;&#xFF0C;&#x8FDB;&#x884C;&#x521D;&#x59CB;&#x5316;&#xFF0C;&#x5E76;&#x5728;&#x521D;&#x59CB;&#x5316;&#x7684;&#x65F6;&#x5019;&#x5173;&#x8054; app </li>
</ul>
<pre><code class="lang-python"><span class="hljs-keyword">from</span> flask.ext.wtf <span class="hljs-keyword">import</span> CSRFProtect
<span class="hljs-comment"># NOTE(review): flask.ext is the legacy extension import shim, deprecated and</span>
<span class="hljs-comment"># later removed from Flask; the module named in the text above is the current</span>
<span class="hljs-comment"># one: from flask_wtf.csrf import CSRFProtect</span>
<span class="hljs-comment"># Registering on the app makes state-changing requests (POST/PUT/PATCH/DELETE</span>
<span class="hljs-comment"># by default) require a valid token.</span>
CSRFProtect(app)
</code></pre>
<ul>
<li>&#x5982;&#x679C;&#x6A21;&#x677F;&#x4E2D;&#x6709;&#x8868;&#x5355;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x505A;&#x4EFB;&#x4F55;&#x4E8B;&#x3002;&#x4E0E;&#x4E4B;&#x524D;&#x4E00;&#x6837;:</li>
</ul>
<pre><code class="lang-html"><span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span>&gt;</span>
    <span class="hljs-comment">&lt;!-- Same hidden token field as the FlaskForm example; WTForms fields render when printed, so the call form used there and the bare reference here produce the same input. --&gt;</span>
    {{ form.csrf_token }}
    ...
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>
</code></pre>
<ul>
<li>&#x4F46;&#x5982;&#x679C;&#x6A21;&#x677F;&#x4E2D;&#x6CA1;&#x6709;&#x8868;&#x5355;&#xFF0C;&#x4F60;&#x4ECD;&#x9700;&#x8981; CSRF &#x4EE4;&#x724C;:</li>
</ul>
<pre><code class="lang-html">
<span class="hljs-comment">&lt;!-- Template without a FlaskForm: csrf_token() is the Jinja global registered by CSRFProtect, and the field name must stay csrf_token for the check to find it. The trailing slash on the void input element below is unnecessary. --&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-title">form</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">&quot;post&quot;</span> <span class="hljs-attribute">action</span>=<span class="hljs-value">&quot;/&quot;</span>&gt;</span>
    <span class="hljs-tag">&lt;<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">&quot;hidden&quot;</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">&quot;csrf_token&quot;</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">&quot;{{ csrf_token() }}&quot;</span> /&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-title">form</span>&gt;</span>
</code></pre>
<blockquote>
<p>&#x540E;&#x7EED;&#x9879;&#x76EE;&#x4E2D;&#x4F1A;&#x4F7F;&#x7528;&#x5230;&#x6B64;&#x529F;&#x80FD;</p>
</blockquote>

                    
                    </section>
                
                
                </div>
            </div>
        </div>

        
        
    </div>
</div>

        

        <!-- body:end -->
    </body>
    <!-- End of book Flask框架 -->
</html>
